Through the back door

by VPNHaus | 03/26/2019

Companies are now investing a lot of time and money in securing sensitive information. This is a welcome change, even if these efforts are not always consistent or in the right place. Unfortunately, human nature has meant that this effort has had little impact on the number of reported security incidents; if anything, they have increased. Better security is a good thing, but it often gets in the way of getting things done. This is why companies are increasingly prioritizing soft factors, such as the acceptance of security measures, in their security strategy.

Awareness measures help to increase acceptance, but often they do not go far enough. Companies often address security in terms of business needs and rarely pay much attention to users' personal devices. The current Mobile Threat Report from McAfee and other research show that this is a critical mistake. The McAfee report describes a new type of trojan similar to TimpDoor that targets the Android operating system. This trojan creates a back door on a mobile device, allowing attackers to execute any code remotely, including when the device is connected to the company network.

Trojans, whether for Android or not, are old hat. DressCode, Guerilla and Rootnik are all examples of relatively recent trojans that create back doors. What makes TimpDoor different is how it spreads. Trojans are usually smuggled into apps or games that are downloaded officially from the Google Play Store. Google has sharpened its detection and security measures to make this more difficult. TimpDoor circumvents these restrictions by sending an SMS encouraging users to download a fake app to access a voice message. The link includes detailed information on how to install software from external sources, which is usually disabled by default on Android. As soon as the user activates the link, the trojan is installed on their device and plays a fake message.

Earlier TimpDoor versions were limited to forwarding HTTP traffic through its own proxy. The current version can forward any network traffic transparently via SOCKS. At the moment, TimpDoor is only used for creating a back door, but it is only a question of time before additional features are added to the malware. In December last year, TimpDoor was one of the most common back door trojans in the USA. It would be a perfect match for current sextortion campaigns that threaten to release private videos of the user if a ransom is not paid. Instead of demanding a ransom, they could include a link for the user to reply. Security analysts from Barracuda Networks have discovered that employees are twice as likely to be targeted by a sextortion attack as by Business Email Compromise (BEC).

The most significant problem posed by an infected device is not the exposure of private images or data, although this might be embarrassing for the individual. From a business perspective, it is far more dangerous if an infected device can connect at will to the company network. This renders any perimeter measures absolutely useless and gives attackers a perfect bridgehead on the company network. Companies can only defend themselves by ensuring that any bring your own device (BYOD) scheme sandboxes users' own devices in a protected area and restricts access to the network from the device. Segmenting the company network with an up-to-date roles and permissions concept offers similar protection. Finally, company awareness measures should also address the risks of personal devices.
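
Whether the BYOD restriction described above actually holds can be checked against observed traffic. The following is an added example, not part of the original article: it audits flow records from a BYOD segment against a least-privilege allow-list, and the subnets, allowed services and flow records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed addressing plan (assumption, not from the article).
BYOD_NET = ipaddress.ip_network("10.50.0.0/24")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# The only internal services the BYOD segment may reach:
# (destination network, protocol, destination port).
ALLOWED = [
    (ipaddress.ip_network("10.1.0.10/32"), "tcp", 443),  # mail gateway
    (ipaddress.ip_network("10.1.0.53/32"), "udp", 53),   # DNS resolver
]

# Constructed flow records: (source, destination, protocol, destination port).
SAMPLE_FLOWS = [
    ("10.50.0.21", "10.1.0.10", "tcp", 443),    # permitted
    ("10.50.0.21", "10.1.0.53", "udp", 53),     # permitted
    ("10.50.0.21", "10.2.3.4", "tcp", 445),     # internal file server
    ("10.50.0.37", "10.1.0.10", "tcp", 22),     # permitted host, wrong port
    ("10.50.0.21", "10.50.0.37", "tcp", 8080),  # device-to-device traffic
    ("10.50.0.21", "203.0.113.9", "tcp", 443),  # internet, out of scope here
    ("10.2.3.4", "10.1.0.10", "tcp", 445),      # not from the BYOD segment
]


def is_allowed(dst, proto, port):
    """True if the allow-list covers this destination, protocol and port."""
    return any(dst in net and proto == p and port == allowed_port
               for net, p, allowed_port in ALLOWED)


def audit(flows):
    """Map each BYOD device to its internal flows outside the allow-list."""
    findings = defaultdict(list)
    for src, dst, proto, port in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Only traffic from the BYOD segment into internal address space counts.
        if s not in BYOD_NET or d not in INTERNAL_NET:
            continue
        if not is_allowed(d, proto.lower(), int(port)):
            findings[src].append((dst, proto, port))
    return dict(findings)


if __name__ == "__main__":
    for device, hits in audit(SAMPLE_FLOWS).items():
        print(device, hits)
```

Any finding means either the segment's filtering is looser than the policy or a device is attempting connections it has no business need for; both are worth following up.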